(usagi-users 04011) Why USAGI IPsec bypass OSPF packets?
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 04011) Why USAGI IPsec bypass OSPF packets?
- From: Liu Ya <liuya@xxxxxxxxxx>
- Date: Wed, 19 Dec 2007 20:49:18 +0800
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Thread-index: AchCPZHmyuTZcqdZTyC6Rp2aHH6DRA==
Dear all,
I am new to USAGI. I met a problem when I attempted to protect OSPF
packets using USAGI IPsec. All OSPF packets are bypassed although the
SPD rules and SAD entries were installed. But other protocols' packets,
such as ICMP echo/reply packets, have no such problems. If you have
met such a problem, could you please tell me how to solve it?
Thanks.
Liu
P.S., I use the manual keying method with the setkey IPsec tool. The routers
are x86 hard platforms with FedoraCore 4 OS installed. The Linux
kernel version is 2.6.11. More detailed configurations are as follows.
[root@localhost router]# setkey -D
192.168.1.97 224.0.0.5
ah mode=transport spi=1234(0x000004d2) reqid=0(0x00000000)
A: hmac-sha1 01234567 89abcdef 01234567 89abcdef 01234567
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Dec 20 19:31:48 2007 current: Dec 20 19:31:55 2007
diff: 7(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=2 pid=10275 refcnt=0
192.168.1.97 192.168.1.1
ah mode=tunnel spi=1236(0x000004d4) reqid=0(0x00000000)
A: hmac-sha1 01234567 89abcdef 01234567 89abcdef 01234567
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Dec 20 19:31:48 2007 current: Dec 20 19:31:55 2007
diff: 7(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=10275 refcnt=0
192.168.1.97 192.168.1.1
ah mode=transport spi=1235(0x000004d3) reqid=0(0x00000000)
A: hmac-sha1 01234567 89abcdef 01234567 89abcdef 01234567
seq=0x00000000 replay=0 flags=0x00000000 state=mature
created: Dec 20 19:31:48 2007 current: Dec 20 19:31:55 2007
diff: 7(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=10275 refcnt=0
[root@localhost router]# setkey -DP
192.168.1.0/24[any] 192.168.1.0/24[any] ospf
out prio def + 12 ipsec
ah/tunnel/192.168.1.97-192.168.1.1/require
created: Dec 20 19:31:52 2007 lastused:
lifetime: 0(s) validtime: 0(s)
spid=3257 seq=2 pid=10278
refcnt=1
192.168.1.0/24[any] 192.168.1.0/24[any] icmp
out prio def + 11 ipsec
ah/transport//require
created: Dec 20 19:31:52 2007 lastused:
lifetime: 0(s) validtime: 0(s)
spid=3249 seq=1 pid=10278
refcnt=1
192.168.1.97/24[any] 224.0.0.5[any] ospf
out prio def + 10 ipsec
ah/transport//require
created: Dec 20 19:31:52 2007 lastused:
lifetime: 0(s) validtime: 0(s)
spid=3241 seq=0 pid=10278
refcnt=1
[root@localhost router]#uname -a
Linux localhost.localdomain 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56
EDT 2005 i686 i686 i386 GNU/Linux